I need to identify the IP addresses that users are accessing my Confluence server from so that I can correctly filter them out in Apache.
JIRA already has an excellent log file which I can use for this (atlassian-jira-security.log) as detailed in
https://confluence.atlassian.com/adminjiraserver073/logging-and-profiling-861253813.html
atlassian-jira-security.log
.e.g.
2018-07-20 09:36:11,161 http-nio-8080-exec-149 url:/rest/dev-status/1.0/issue/summary joebloggs 576x346142x1 - 10.12.22.124,221.250.140.12 /rest/dev-status/1.0/issue/summary The user 'joebloggs' has PASSED authentication.
However this log file doesn't exist for Confluence and I can't seem to find a way to generate this information. Ideally I'd like a log entry for when a user passes authentication which includes the IP address they accessed Confluence from.
Is there a way to create this information in my logs on Confluence?
OK I've cracked it. This is all the things I needed to do.
Add the following to server.xml before </Engine> where the IP address is that of my server (logs the client's IP address instead of the Apache reverse proxy address)
<Valve
className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="192\.168\.10\.123"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"
/>
In WEB-INF web.xml uncommented the following entry
<filter-mapping>
<filter-name>AccessLogFilter</filter-name>
<url-pattern>/display/*</url-pattern>
</filter-mapping>
In WEB-INF/classes log4j.properties uncomment and modify
log4j.category.com.atlassian.confluence.util.AccessLogFilter=INFO, accesslog
log4j.additivity.com.atlassian.confluence.util.AccessLogFilter=false
and added the following near the start of the file under the other appender declarations. The ConversionPattern is customised for my needs from the standard declaration.
log4j.appender.accesslog=org.apache.log4j.RollingFileAppender
log4j.appender.accesslog.Threshold=DEBUG
log4j.appender.accesslog.File=${catalina.home}/logs/atlassian-confluence-access.log
log4j.appender.accesslog.MaxFileSize=20480KB
log4j.appender.accesslog.MaxBackupIndex=5
log4j.appender.accesslog.layout=com.atlassian.confluence.util.PatternLayoutWithStackTrace
log4j.appender.accesslog.layout.ConversionPattern=%d %p [%t] %m%n
In the Windows service added the following line (forces IPv4 address as I was getting 0:0:0:0:0:0:1 IPv6 address)
-Djava.net.preferIPv4Stack=true
And now I have a new log file which gives date and time of access along with the username and client IP address
2018-08-15 11:11:23,020 INFO [http-nio-8090-exec-4] joebloggs GET https://con-testsvr/display/CT/task+list 5837972-291988 2587 192.100.22.102
Thanks to @Zak Laughton for pointing me in the right direction
Changing the url-pattern to only record the index.action which happens after a user logs in has reduced the size of the log file
<filter-mapping>
<filter-name>AccessLogFilter</filter-name>
<url-pattern>/index.action</url-pattern>
</filter-mapping>
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Dalectric,
You can log user access along with their IP address by enabling User Access Logging in Confluence. See How to Enable User Access Logging.
-Zak
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks, I can see I can get close to what I require, but I can't seem to return the IP address, With the default values I get
2018-08-07 10:00:15,845 INFO [localhost-startStop-1] [atlassian.confluence.util.AccessLogFilter] init AccessLogFilter initialized. Format is: <user> <url> <starting memory free (kb)> +- <difference in free mem (kb)> <query time (ms)> <remote address>
2018-08-07 10:00:25,462 INFO [http-nio-8090-exec-3] [atlassian.confluence.util.AccessLogFilter] doFilter - GET https://ukcov-con/pages/viewpage.action 7702577-374790 1084 0:0:0:0:0:0:0:1
2018-08-07 10:00:30,744 INFO [http-nio-8090-exec-11] [atlassian.confluence.util.AccessLogFilter] doFilter - GET https://ukcov-con/login.action 7161220-397312 4636 0:0:0:0:0:0:0:1
2018-08-07 10:00:34,308 INFO [http-nio-8090-exec-8] [atlassian.confluence.util.AccessLogFilter] doFilter - POST https://ukcov-con/dologin.action 6568665-32595 807 0:0:0:0:0:0:0:1
2018-08-07 10:00:49,609 INFO [http-nio-8090-exec-4] [atlassian.confluence.util.AccessLogFilter] doFilter joebloggs GET https://ukcov-con/pages/viewpage.action 6536070+1184355 15273 0:0:0:0:0:0:0:1
Looking at the JIRA setting I see it has a specific API for handling this in
https://docs.atlassian.com/DAC/javadoc/jira/reference/com/atlassian/jira/util/log/Log4jKit.html
And you can see this in the log file setup on JIRA
log4j.appender.securitylog.layout.ConversionPattern=%d %t %X{jira.username} %X{jira.request.id} %X{jira.request.assession.id} %X{jira.request.ipaddr} %X{jira.request.url} %m%n
There doesn't appear to be the same API for Confluence so how can I add the IP address to the output log file for Confluence?
(I'm plugging away at this so if I find a way I'll post up the answer)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Looking at the this some more it seems that my remote address is coming through as IPv6 (0:0:0:0:0:0:0:1) and not IPv4 shown in the example (127.0.0.1). Any ideas why this would be?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Adding the following line to my Java options forced it to IPv4 format
-Djava.net.preferIPv4Stack=true
However the IP address is always the Confluence server address. Possibly due to the Apache reverse proxy that's in place. Further investigation ongoing.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
An alternative is to add the following to the server.xml before the </Engine> tag, and it does what I need, but it generates a lot of entries as each element from a page creates a log entry. That means the files will grow to a very large size very quickly.
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="conf_access_log"
fileDateFormat="-yyyyMMdd" suffix=".log"
pattern="%t %a %l %{X-Forwarded-For}i %{X-AUSERNAME}o "%{Referer}i" "%r" %b"
resolveHosts="false"/>
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.